Being a fan of the series Mr.Robot, I decided to exploit this vulnerable machine added by Jason.

Someone once said that the best way to be prepared for a hack when it happens, is to be hacked. So, let’s hack Mr. Robot 🙂

Starting with enumeration, I fired-up nikto, that reveals a lot of useful information:

I’ve tried also nmap, but the opened ports are only on 80 and 443. No sneaky port here.

Checking the results of nikto, reveals that on this machine is a file robots.txt. Need to verify this…and..voilà:

Key-1-of-3 seems to be our first flag 🙂

I’ve saved the dictionary locally, maybe later it will be useful for a brute force or something. Add in the URL /key-1-of-3.txt and received the content of the file: 073403c8a58a1f80d943455fb30724b9

But nikto revealed also a /wp-login.php and had to see what I can get from it.

Let’s try some usernames and passwords. Thinking of the characters from the serial, I’ve checked for Mr Robot, and after that for Elliot. The result is awesome, taking into consideration that was the second shot for the username:

Seems that the password I entered is incorrect. First thing in mind: brute force with Intruder.

Running wpscan to enumerate the users will not work this time, but we can use wfuzz for this.

First we will optimize the dictionary file fsociety.dic as is full of duplicates:

cat fsocity.dic|sort| uniq > mr_robot.dic

Next, we will start wfuzz wich will try all the words in the dictionary file in about 3 minutes:

Brute-forcing the user elliot with Burp Intruder will give us the password:

After logging into the wordpress administrative interface we need to find something else to get to the second flag.

One of the most common ways to execute commands while having administrator rights in wordpress is to try to upload a PHP file or insert some PHP code into one of the template`s files. Go to Apperence > Editor, and on the right of the page choose 404 Template, and insert here the PHP code that will initiate a reverse-connection back to our kali machine.

We continue by doing some enumeration, like finding what users are present on the system:

We notice the user robot and we find in his home directory our next hint:

By doing a quick look-up on google with the MD5 hash, we have now what it seems to be the password for robot user. This will take us to the second flag:

Now it’s time for some more enumeration in order to escalate our privileges to root.

Looking for files with special permissions will return as nmap among other files:

We remember an article from Go Null Yourself e-zine called Stupid shell tricks which can be found here: https://www.exploit-db.com/papers/18168/ where nmap interactive mode is mentioned as a mean of backdooring a system and we try to exploit this “feature”: